The Securities and Exchange Commission (SEC) has taken an ad-hoc approach to cloud adoption instead of following its cloud strategy, and did not fully implement security measures, according to a report from the SEC’s inspector general released November 7.
The report, redacted for public consumption, notes that the SEC developed a plan for migrating to the cloud in 2017, but did not follow through on it. Instead, the agency adopted cloud outside of an enterprise approach, and migrated individual systems based on business and technical needs.
“As a result, the SEC has not yet fully realized the potential performance and economic benefits attributed to cloud computing services,” the report states.
The agency’s cloud strategy set the goal of launching a number of pilots, migrating an unnamed system to the cloud, and achieving broad scaling of cloud capabilities within five years. However, the audit found that the SEC failed to track its progress against the strategy, did not migrate the unnamed system, and has launched only two cloud pilots that are set to become enterprise programs.
“The conditions we observed occurred because the SEC did not coordinate or collaborate on cloud strategies at an enterprise level. For example, key stakeholders, including the CIO, as well as OIT [Office of Information Technology] and OA [Office of Acquisitions] officials, did not work together to review the SEC’s IT portfolio and employ best practices for adopting cloud computing services,” the IG states.
In addition to the lack of progress, the audit found incomplete security assessment reports, systems missing FedRAMP baseline controls, and contracts that did not include security requirements. The security assessment reports omitted information about cloud service provider vulnerabilities and did not incorporate the providers’ FedRAMP authorization package information.
“The conditions we observed occurred because OIT had not developed policies and procedures specific to cloud system security, or adequate processes to ensure compliance with FedRAMP baseline controls and enhancements for which the agency is responsible,” the report states.
The inspector general made three recommendations to improve planning and security, all of which SEC officials concurred with.